AWS on My Notes

AWS: IAM

Mon, 01 Jan 0001 00:00:00 +0000

IAM#

AWS Identity and Access Management (IAM) enables you to manage access to AWS services and resources securely. Using IAM, you can create and manage AWS users and groups, and use permissions to allow and deny their access to AWS resources.

Root User#

Every account has a root user in AWS. A root user is something that’s created automatically for you whenever you create an AWS account.
Every single AWS account has a root user.
The trouble is that root users have unrestricted access to every service and resource that is in AWS inside of your account.
The permissions of root user can’t be restricted in any way.

Dos and Don’ts#

You should not be accessing the root account on a regular basis, whether that’s daily, weekly, or whatever.
Make sure that you turn on multi-factor authentication on the root account. Multi-factor authentication used to be called two-factor authentication. It really just means that we know the password and we have some sort of a token that we will get a number generated. It’s something that you might even use your smartphone for. But it now means that I have to know the username and password and I have to have this token that’s going to generate a code. We’ll see more about how you’ll do that later.
Make sure that you’ve disabled your root access keys. This isn’t the interactive login for root, it has to do with how we can access the account programmatically.
Make sure that you rotate the credentials. Just because we say don’t log in doesn’t mean set the password and then forget it.
Don’t share the root user credentials. password. And all that the audit logs show is that root logged in and did the job. Kind of dangerous.
Make sure that you create a user that has administrative privileges that’s assigned to you and that you know the password only.

Features & Functions#

Allows user to have very secure access including through the use of multi-factor authentication and federation.
Grant user a lot of granular control over the specific resources.
Grant temporary access to different people.
Simplify the number of logins by using federating identities
Integrate the IAM solution is with all of the different products that AWS offers.

MFA#

MFA stands for multi-factor authentication
Extra layer of security.
Prevent against imposters, somebody who just happened to guess the right password or happened to actually shoulder surf and watch somebody key in their username and password.

IAM User#

It is an entity that you create in AWS. The IAM user represents the person or service who uses the IAM user to interact with AWS. A primary use for IAM users is to give people the ability to sign in to the AWS Management Console for interactive tasks and to make programmatic requests to AWS services using the API or CLI. A user in AWS consists of a name, a password to sign into the AWS Management Console, and up to two access keys that can be used with the API or CLI.

AWS : CLI - 1

Mon, 01 Jan 0001 00:00:00 +0000

AWS CLI#

Amazon Virtual Private Cloud (Amazon VPC) enables you to launch AWS resources into a virtual network that you’ve defined. This virtual network closely resembles a traditional network that you’d operate in your own data center, with the benefits of using the scalable infrastructure of AWS.

CLI installation (Version 1)#

Install Python 3#

Python 2.7 is no longer supported. Please install python3
```
 sudo yum install python3
 pip3 --version
```

Profile Setup#

A named profile is a collection of settings and credentials that you can apply to a AWS CLI command. When you specify a profile to run a command, the settings and credentials are used to run that command.

AWS : CLI - 2

Mon, 01 Jan 0001 00:00:00 +0000

AWS CLI & VPC#

Following is a sample to create a VPC with 2 private subnets, 2 public subnets across 2 avaliable zones and NAT Gateway.

#!/bin/bash
#******************************************************************************
# AWS VPC CLI Script
#******************************************************************************
#
# SYNOPSIS
# Automates the creation of a custom IPv4 VPC, having both a public and a
# private subnet, and a NAT gateway.
#
#==============================================================================
#
# NOTES
# VERSION: 1.0
# AUTHOR: Harry Ho
#
#==============================================================================
# MODIFY THE SETTINGS BELOW
#==============================================================================
#
AWS_REGION="ap-southeast-2"
VPC_NAME="DEV-PG-II"
VPC_CIDR="10.5.0.0/16"
SUBNET_PUBLIC_CIDR="10.5.1.0/24"
SUBNET_PUBLIC_AZ="ap-southeast-2a"
SUBNET_PUBLIC_NAME="$VPC_NAME-PubSub-AZ2a"
SUBNET_PRIVATE_CIDR="10.5.2.0/24"
SUBNET_PRIVATE_AZ="ap-southeast-2b"
SUBNET_PRIVATE_NAME="$VPC_NAME-PrvSub-AZ2b"
IGW_NAME="$VPC_NAME-IGW"
NAT_GW_NAME="$VPC_NAME-NAT-GW"
CHECK_FREQUENCY=5
#
#==============================================================================
# DO NOT MODIFY CODE BELOW
#==============================================================================
#
# Create VPC
echo "Creating VPC in preferred region..."
VPC_ID=$(aws ec2 create-vpc \
 --cidr-block $VPC_CIDR \
 --query 'Vpc.{VpcId:VpcId}' \
 --output text \
 --region $AWS_REGION)
echo " VPC ID '$VPC_ID' CREATED in '$AWS_REGION' region."

# Add Name tag to VPC
aws ec2 create-tags \
 --resources $VPC_ID \
 --tags "Key=Name,Value=$VPC_NAME" \
 --region $AWS_REGION
echo " VPC ID '$VPC_ID' NAMED as '$VPC_NAME'."

# Create Public Subnet
echo "Creating Public Subnet..."
SUBNET_PUBLIC_ID=$(aws ec2 create-subnet \
 --vpc-id $VPC_ID \
 --cidr-block $SUBNET_PUBLIC_CIDR \
 --availability-zone $SUBNET_PUBLIC_AZ \
 --query 'Subnet.{SubnetId:SubnetId}' \
 --output text \
 --region $AWS_REGION)
echo " Subnet ID '$SUBNET_PUBLIC_ID' CREATED in '$SUBNET_PUBLIC_AZ'" \
 "Availability Zone."

# Add Name tag to Public Subnet
aws ec2 create-tags \
 --resources $SUBNET_PUBLIC_ID \
 --tags "Key=Name,Value=$SUBNET_PUBLIC_NAME" \
 --region $AWS_REGION
echo " Subnet ID '$SUBNET_PUBLIC_ID' NAMED as" \
 "'$SUBNET_PUBLIC_NAME'."

# Create Private Subnet
echo "Creating Private Subnet..."
SUBNET_PRIVATE_ID=$(aws ec2 create-subnet \
 --vpc-id $VPC_ID \
 --cidr-block $SUBNET_PRIVATE_CIDR \
 --availability-zone $SUBNET_PRIVATE_AZ \
 --query 'Subnet.{SubnetId:SubnetId}' \
 --output text \
 --region $AWS_REGION)
echo " Subnet ID '$SUBNET_PRIVATE_ID' CREATED in '$SUBNET_PRIVATE_AZ'" \
 "Availability Zone."

# Add Name tag to Private Subnet
aws ec2 create-tags \
 --resources $SUBNET_PRIVATE_ID \
 --tags "Key=Name,Value=$SUBNET_PRIVATE_NAME" \
 --region $AWS_REGION
echo " Subnet ID '$SUBNET_PRIVATE_ID' NAMED as '$SUBNET_PRIVATE_NAME'."

# Create Internet gateway
echo "Creating Internet Gateway..."
IGW_ID=$(aws ec2 create-internet-gateway \
 --query 'InternetGateway.{InternetGatewayId:InternetGatewayId}' \
 --output text \
 --region $AWS_REGION)
echo " Internet Gateway ID '$IGW_ID' CREATED."

# Add Name tag to Internet gateway
aws ec2 create-tags \
 --resources $IGW_ID \
 --tags "Key=Name,Value=$IGW_NAME" \
 --region $AWS_REGION
echo " Internet gateway '$IGW_ID' NAMED as '$IGW_NAME'."


# Attach Internet gateway to your VPC
aws ec2 attach-internet-gateway \
 --vpc-id $VPC_ID \
 --internet-gateway-id $IGW_ID \
 --region $AWS_REGION
echo " Internet Gateway ID '$IGW_ID' ATTACHED to VPC ID '$VPC_ID'."

# Create Route Table
echo "Creating Route Table..."
ROUTE_TABLE_ID=$(aws ec2 create-route-table \
 --vpc-id $VPC_ID \
 --query 'RouteTable.{RouteTableId:RouteTableId}' \
 --output text \
 --region $AWS_REGION)
echo " Route Table ID '$ROUTE_TABLE_ID' CREATED."


# Create route to Internet Gateway
RESULT=$(aws ec2 create-route \
 --route-table-id $ROUTE_TABLE_ID \
 --destination-cidr-block 0.0.0.0/0 \
 --gateway-id $IGW_ID \
 --region $AWS_REGION)
echo " Route to '0.0.0.0/0' via Internet Gateway ID '$IGW_ID' ADDED to" \
 "Route Table ID '$ROUTE_TABLE_ID'."

# Associate Public Subnet with Route Table
RESULT=$(aws ec2 associate-route-table \
 --subnet-id $SUBNET_PUBLIC_ID \
 --route-table-id $ROUTE_TABLE_ID \
 --region $AWS_REGION)
echo " Public Subnet ID '$SUBNET_PUBLIC_ID' ASSOCIATED with Route Table ID" \
 "'$ROUTE_TABLE_ID'."

# Enable Auto-assign Public IP on Public Subnet
aws ec2 modify-subnet-attribute \
 --subnet-id $SUBNET_PUBLIC_ID \
 --map-public-ip-on-launch \
 --region $AWS_REGION
echo " 'Auto-assign Public IP' ENABLED on Public Subnet ID" \
 "'$SUBNET_PUBLIC_ID'."

# Allocate Elastic IP Address for NAT Gateway
echo "Creating NAT Gateway..."
EIP_ALLOC_ID=$(aws ec2 allocate-address \
 --domain vpc \
 --query '{AllocationId:AllocationId}' \
 --output text \
 --region $AWS_REGION)
echo " Elastic IP address ID '$EIP_ALLOC_ID' ALLOCATED."

# Create NAT Gateway
NAT_GW_ID=$(aws ec2 create-nat-gateway \
 --subnet-id $SUBNET_PUBLIC_ID \
 --allocation-id $EIP_ALLOC_ID \
 --query 'NatGateway.{NatGatewayId:NatGatewayId}' \
 --output text \
 --region $AWS_REGION)

FORMATTED_MSG="Creating NAT Gateway ID '$NAT_GW_ID' and waiting for it to "
FORMATTED_MSG+="become available.\n Please BE PATIENT as this can take some "
FORMATTED_MSG+="time to complete.\n ......\n"
printf " $FORMATTED_MSG"
FORMATTED_MSG="STATUS: AVAILABLE - Total of %02d seconds elapsed for process"
FORMATTED_MSG+="\n ......\n NAT Gateway ID '%s' is now AVAILABLE.\n"
start_time="$(date -u +%s)"

aws ec2 wait nat-gateway-available \
 --nat-gateway-ids $NAT_GW_ID

end_time="$(date -u +%s)"
elapsed="$(($end_time-$start_time))" 

printf " $FORMATTED_MSG" $elapsed $NAT_GW_ID

# Add Name tag to NAT Gateway
aws ec2 create-tags \
 --resources $NAT_GW_ID \
 --tags "Key=Name,Value=$NAT_GW_NAME" \
 --region $AWS_REGION
echo " Internet gateway '$NAT_GW_ID' NAMED as '$NAT_GW_NAME'."


# Create route to NAT Gateway
MAIN_ROUTE_TABLE_ID=$(aws ec2 describe-route-tables \
 --filters Name=vpc-id,Values=$VPC_ID Name=association.main,Values=true \
 --query 'RouteTables[*].{RouteTableId:RouteTableId}' \
 --output text \
 --region $AWS_REGION)
echo " Main Route Table ID is '$MAIN_ROUTE_TABLE_ID'."
RESULT=$(aws ec2 create-route \
 --route-table-id $MAIN_ROUTE_TABLE_ID \
 --destination-cidr-block 0.0.0.0/0 \
 --gateway-id $NAT_GW_ID \
 --region $AWS_REGION)
echo " Route to '0.0.0.0/0' via NAT Gateway with ID '$NAT_GW_ID' ADDED to" \
 "Route Table ID '$MAIN_ROUTE_TABLE_ID'."
echo "COMPLETED"

AWS : CLI - 3

Mon, 01 Jan 0001 00:00:00 +0000

AWS CLI & & Security Group#

Sometimes it is so annoying to update the rules of security group one by one, because of the change of your public IP address. Following is a script to make such change easier.

The script will only update the SSH / RDP protocals of specified the security groups. The SSH and RDP are most popular ones which allow admin to access the remote EC2.

AWS: VPC - 1

Mon, 01 Jan 0001 00:00:00 +0000

VPC Part 1#

Key concepts#

A virtual private cloud (VPC) is a virtual network dedicated to your AWS account.
A subnet is a range of IP addresses in your VPC.
A route table contains a set of rules, called routes, that are used to determine where network traffic is directed.
An internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows communication between instances in your VPC and the internet. It therefore imposes no availability risks or bandwidth constraints on your network traffic.
A VPC endpoint enables you to privately connect your VPC to supported AWS services and VPC endpoint services powered by PrivateLink without requiring an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection. Instances in your VPC do not require public IP addresses to communicate with resources in the service. Traffic between your VPC and the other service does not leave the Amazon network.

IP addressing#

Once the VPC is created, its CIDR block range can NOT be chagned.
To change CIDR size, you need to create a new VPC
The different subnets within a VPC can NOT be overlap.
Can expand VPC by adding secondary IPv4 CIDR blocks

Default VPC#

AWS creates a default VPC for you in each region. The default VPC will include 1 CIDR block, 1 route table, 1 DHCP options set, 1 Network ACL, 1 Security Group, 1 Internet Gateway, and 3~6 Subnets. The number of subnet depends on the number of Available Zone in the region.

AWS: VPC - 2

Mon, 01 Jan 0001 00:00:00 +0000

VPC Part 2#

VPC has an implicit router (implied router), and you use route tables to control where network traffic is directed.

Route table#

Have up to 200 route tables per VPC
Have up to 50 route entries per route table
Each subnet must be associated with only one route table
The subent (when created) will be associated with main (default) VPC route table
Can change the subnet association to another route table
Can NOT delete the main route table
Every route table in a VPC comes with a default rule that allows all VPC subnets to comminunicate with one another. This rule can NOT be modified or deleted.

Security Group#

It is a virtual firewall
It controls traffic at the EC2ss level
Up to 5 security groups per EC2
Stateful, return traffic, of allowed inbound traffic, is allowed, even if there are no rules to allow it.
Can only have permit rules, can NOT have deny rules
Implicit deny rule at the end
Security group is associated wth EC2’s network interface
Any change on security group takes effect immediately
Default security groupd can not be deleted
It is VPC resource, hence, different EC2 in differenet AZs within the same VPC, can have the same security group applied to them.
It can NOT block a certain range of IP addresses from Internet from gettting to EC2 fleets

Default vs Customized Group#

The default security group has inbound and outbound rules when created. The inboud rule allows all traffics in from the same security group. The outbound rule allows all traffics to any destination. The customized security group has outbound rule only by default.

AWS: VPC - 3

Mon, 01 Jan 0001 00:00:00 +0000

VPC Part 3#

Endpoint#

A VPC endpoint enables you to privately connect your VPC to supported AWS services and VPC endpoint services powered by AWS PrivateLink without requiring an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection.

Endpoints are virtual devices. They are horizontally scaled, redundant, and highly available VPC components. They allow communication between instances in your VPC and services without imposing availability risks or bandwidth constraints on your network traffic.

AWS: VPC - 4

Mon, 01 Jan 0001 00:00:00 +0000

VPC Part 4#

Simples demo#

Diagram of customized VPC - MyDemoVPC with Internet Gatway and VPN connect

graph LR
 InternetGW(Internet Gateway)
 VirtualGW(Virtual Gateway)
 INTER(Internet - Public)
 InternetGW --- INTER
 VirtualGW --- SERVER
 subgraph MyDemoVPC
 EC2_A(EC2 Instannce A)
 EC2_B(EC2 Instannce B)
 EC2_E(EC2 Instannce E)
 EC2_F(EC2 Instannce F)
 EC2_C[(Database Master)]
 EC2_D[(Database Slave)]
 MainRouteTable(10.0.0.0/16)
 PrvSubnet(10.0.2.0/24)
 PubSubnet(10.0.1.0/24)
 VPNSubnet(10.0.3.0/24)
 MainRouteTable --- InternetGW
 MainRouteTable --- NetworkACL
 NetworkACL --- PubSecGrp
 NetworkACL --- PrivSecGrp
 PrivSecGrp --- PrvSubnet
 VPNSubnet --- VirtualGW
 VPNSubnet --- MainRouteTable
 PubSecGrp --- PubSubnet
 subgraph Implied_Router
 MainRouteTable(10.0.0.0/16)
 end 
 subgraph Private_Subnet
 PrvSubnet
 EC2_C
 EC2_D
 end
 subgraph Public_Subnet
 PubSubnet
 EC2_A
 EC2_B
 end
 subgraph VPN_Subnet
 VPNSubnet
 EC2_E
 EC2_F
 end
 end
 InternetGW
 subgraph Internet
 INTER
 end
 subgraph OnPremise
 SERVER
 end

Customized Route tables of Subnet Public_Subnet

Destination	Target
10.0.1.0/16	local
2002:0a00:0100:0:0:0:0:0/56	local
0.0.0.0/0	InternetGW
::0/0	InternetGW

Main Route tables of Subnet Private_Subnet

Destination	Target
10.0.1.0/16	local
2002:0a00:0100:0:0:0:0:0/56	local

Route table of Subnet VPN_Subnet

Destination	Target
10.0.1.0/16	local
2002:0a00:0100:0:0:0:0:0/56	local
0.0.0.0/0	VirtualGW

AWS: VPC - 5

Mon, 01 Jan 0001 00:00:00 +0000

VPC Part 5#

Direct Connect#

AWS Direct Connect is a cloud service solution that makes it easy to establish a dedicated network connection from your premises to AWS. Using AWS Direct Connect, you can establish private connectivity between AWS and your datacenter, office, or colocation environment, which in many cases can reduce your network costs, increase bandwidth throughput, and provide a more consistent network experience than Internet-based connections.

Using industry standard 802.1q VLANs, this dedicated connection can be partitioned into multiple virtual interfaces. This allows you to use the same connection to access public resources such as objects stored in Amazon S3 using public IP address space, and private resources such as Amazon EC2 instances running within an Amazon Virtual Private Cloud (VPC) using private IP space, while maintaining network separation between the public and private environments. Virtual interfaces can be reconfigured at any time to meet your changing needs.

AWS: S3 - 1

Mon, 01 Jan 0001 00:00:00 +0000

S3 Part 1#

Amazon Simple Storage Service (Amazon S3) is an object storage service that offers industry-leading scalability, data availability, security, and performance.

Storage feature#

Amazon S3 has various features you can use to organize and manage your data in ways that support specific use cases, enable cost efficiencies, enforce security, and meet compliance requirements. Data is stored as objects within resources called “buckets”, and a single object can be up to 5 terabytes in size. Amazon S3 offers a range of storage classes designed for different use cases.

AWS: S3 - 2

Mon, 01 Jan 0001 00:00:00 +0000

S3 Part 2#

Access#

Access status#

The list buckets view shows whether your bucket is publicly accessible. Amazon S3 labels the permissions for a bucket as follows:

Public – Everyone has access to one or more of the following: List objects, Write objects, Read and write permissions.
Objects can be public – The bucket is not public, but anyone with the appropriate permissions can grant public access to objects.
Buckets and objects not public – The bucket and objects do not have any public access.

AWS: S3 - 3

Mon, 01 Jan 0001 00:00:00 +0000

Use Case#

Problem#

Block all traffic to my Amazon Simple Storage Service (Amazon S3) bucket unless the traffic is from specific Amazon Virtual Private Cloud (VPC) endpoints or certain external IP addresses.

Resolution#

Use a bucket policy to specify which VPC endpoints or external IP addresses can access the S3 bucket.

Note: An external IP address is a public IP address that can be from within a VPC or outside of a VPC. For example, an external IP address can be an Amazon Elastic Compute Cloud (Amazon EC2) instance’s Elastic IP address, or the IP address of a VPC’s NAT gateway or proxy server.

AWS: SQS,SNS,SES - 1

Mon, 01 Jan 0001 00:00:00 +0000

SQS#

Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications. SQS eliminates the complexity and overhead associated with managing and operating message oriented middleware, and empowers developers to focus on differentiating work. Using SQS, you can send, store, and receive messages between software components at any volume, without losing messages or requiring other services to be available. Get started with SQS in minutes using the AWS console, Command Line Interface or SDK of your choice, and three simple commands.

AWS: SQS,SNS,SES - 2

Mon, 01 Jan 0001 00:00:00 +0000

Use Case#

Overview#

graph LR
 Sender_Email("test@test.com")
 Email_Failed
 Email_Delivered
 SNS_Subscriptions --> Email_Failed
 SNS_Subscriptions --> Email_Delivered
 Bounce_Notification --> Email_Failed
 Complaint_Notification --> Email_Failed
 Delivery_Notification --> Email_Delivered
 subgraph SQS 
 subgraph Email_Status_Queue
 SNS_Subscriptions
 end
 end 
 subgraph SNS
 subgraph Topics
 Email_Failed
 Email_Delivered
 end
 end
 subgraph SES
 Sender_Email
 subgraph Notifications
 Bounce_Notification 
 Complaint_Notification 
 Delivery_Notification 
 end
 end

Create a topic for failed email, e.g. bounce or spam complaint
- It is named Email_Failed in the diagram above
Create a topic for delivered email

AWS: EKS - 1

Mon, 01 Jan 0001 00:00:00 +0000

EKS - Part 1#

Amazon Elastic Kubernetes Service (Amazon EKS) is a managed service that makes it easy for you to run Kubernetes on AWS without needing to stand up or maintain your own Kubernetes control plane. Kubernetes is an open-source system for automating the deployment, scaling, and management of containerized applications.

EKS runs Kubernetes control plane instances across multiple Availability Zones to ensure high availability.
EKS automatically detects and replaces unhealthy control plane instances.
EKS provides automated version upgrades and patching for them.
EKS is also integrated with many AWS services to provide scalability and security.

eksctl#

Install the Latest AWS CLI

AWS: EKS - 2

Mon, 01 Jan 0001 00:00:00 +0000

EKS - Part 2#

The update process consists of Amazon EKS launching new API server nodes with the updated Kubernetes version to replace the existing ones. Amazon EKS performs standard infrastructure and readiness health checks for network traffic on these new nodes to verify that they are working as expected. If any of these checks fail, Amazon EKS reverts the infrastructure deployment, and your cluster remains on the prior Kubernetes version. Running applications are not affected, and your cluster is never left in a non-deterministic or unrecoverable state. Amazon EKS regularly backs up all managed clusters, and mechanisms exist to recover clusters if necessary. We are constantly evaluating and improving our Kubernetes infrastructure management processes.

AWS: EKS - 3

Mon, 01 Jan 0001 00:00:00 +0000

EKS - Part 3#

Cluster Autoscaler#

The Kubernetes Cluster Autoscaler automatically adjusts the number of nodes in your cluster when pods fail to launch due to lack of resources or when nodes in the cluster are underutilized and their pods can be rescheduled onto other nodes in the cluster.

Strategy of auto scaling#

Stateful application

If you are running a stateful application across multiple Availability Zones that is backed by Amazon EBS volumes and using the Kubernetes Cluster Autoscaler, you should configure multiple node groups, each scoped to a single Availability Zone.

AWS: EKS - 4

Mon, 01 Jan 0001 00:00:00 +0000

EKS - Part 4#

VPC Tagging#

Key: The value matches your Amazon EKS cluster’s name.
Value: The shared value allows more than one cluster to use this VPC.

Key	Value
kubernetes.io/cluster/<cluster-name>	shared

Load Balancing#

Amazon EKS supports the Network Load Balancer and the Classic Load Balancer for pods running on Amazon EC2 instance worker nodes through the Kubernetes service of type LoadBalancer. Classic Load Balancers and Network Load Balancers are not supported for pods running on AWS Fargate (Fargate).

AWS: EKS - 5

Mon, 01 Jan 0001 00:00:00 +0000

EKS - Part 5#

Metrics Server#

The Kubernetes metrics server is an aggregator of resource usage data in your cluster, and it is not deployed by default in Amazon EKS clusters. The metrics server is commonly used by other Kubernetes add ons, such as the Horizontal Pod Autoscaler or the Kubernetes Dashboard.

Deploy the metrics server

 kubectl apply -f https://github.com/kubernetes-sigs/metrics-server/releases/download/v0.3.6/components.yaml

Verify that the metrics-server deployment

 kubectl get deployment metrics-server -n kube-system

Prometheus#

The Kubernetes API server exposes a number of metrics that are useful for monitoring and analysis. These metrics are exposed internally through a metrics endpoint that refers to the /metrics HTTP API. Like other endpoints, this endpoint is exposed on the Amazon EKS control plane.

AWS: RDS - 1

Mon, 01 Jan 0001 00:00:00 +0000

RDS#

Amazon Relational Database Service (Amazon RDS) makes it easy to set up, operate, and scale a relational database in the cloud. It provides cost-efficient and resizable capacity while automating time-consuming administration tasks such as hardware provisioning, database setup, patching and backups.

Backup & Restore SQL Server#

Backup database to S3#

Assumption
- DB name: sample_db
- S3 bucket name: sql-server-backup

Backup with built-in stored proc

 exec msdb.dbo.rds_backup_database 
 @source_db_name='sample_db', 
 @s3_arn_to_backup_to='arn:aws:s3:::sql-server-backup/sample_db_20191221.bak', 
 @overwrite_S3_backup_file=1;

Track status

AWS on My Notes

AWS: IAM

IAM#

Root User#

Dos and Don’ts#

Features & Functions#

MFA#

IAM User#

AWS : CLI - 1

AWS CLI#

CLI installation (Version 1)#

Install Python 3#

Profile Setup#

AWS : CLI - 2

AWS CLI & VPC#

AWS : CLI - 3

AWS CLI & & Security Group#

AWS: VPC - 1

VPC Part 1#

Key concepts#

IP addressing#

Default VPC#

AWS: VPC - 2

VPC Part 2#

Route table#

Security Group#

Default vs Customized Group#

AWS: VPC - 3

VPC Part 3#

Endpoint#

AWS: VPC - 4

VPC Part 4#

Simples demo#

AWS: VPC - 5

VPC Part 5#

Direct Connect#

AWS: S3 - 1

S3 Part 1#

Storage feature#

AWS: S3 - 2

S3 Part 2#

Access#

Access status#

AWS: S3 - 3

Use Case#

Problem#

Resolution#

AWS: SQS,SNS,SES - 1

SQS#

AWS: SQS,SNS,SES - 2

Use Case#

Overview#

SNS Setup#

AWS: EKS - 1

EKS - Part 1#

eksctl#

AWS: EKS - 2

EKS - Part 2#

AWS: EKS - 3

EKS - Part 3#

Cluster Autoscaler#

Strategy of auto scaling#

AWS: EKS - 4

EKS - Part 4#

VPC Tagging#

Load Balancing#

AWS: EKS - 5

EKS - Part 5#

Metrics Server#

Prometheus#

AWS: RDS - 1

RDS#

Backup & Restore SQL Server#

Backup database to S3#